| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Law15-F17itnXeRgSrI0000821b@hotmail.com>
Date: Thu, 08 May 2003 17:35:46 +0200
From: "Frog Man" <leseulfrog@...mail.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: miniPortail (PHP) : Admin Access
Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.aldweb.com/
Version : 1.9, 2.0, 2.1, 2.2 (and less ?)
Problem : Admin Access
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
admin/admin.php :
-----------------------------------------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");
if (md5($pass) == $mdp) {
setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
setcookie($portalname, "");
header("location:../index.php");
}
$chemin = "../";
include($chemin."inc/includes.inc");
if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) &&
empty($pg)) {
include($chemin."inc/hpage.inc");
htable($admin1, "100%");
[...]
}
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
if (file_exists("inc/".$pg.".inc")) {
$chemin = "../";
include("inc/".$pg.".inc");
}
[...]
-----------------------------------------------------------------------------------------------------------------------------
Exploit :
°°°°°°°
Set a cookie named miniPortailAdmin with for value "adminok" on
http://[target]/admin/admin.php
Solution :
°°°°°°°°°
A patch has been created and can be found on http://www.phpsecure.info .
In admin/admin.php, replace the lines :
-------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");
if (md5($pass) == $mdp) {
setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
setcookie($portalname, "");
header("location:../index.php");
}
$chemin = "../";
include($chemin."inc/includes.inc");
if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) &&
empty($pg)) {
[...]
-------------------------------------------------------------------------------------------
by :
---------------------------------------------------------------------------------------
include("mdp.php");
session_start();
$miniPortailAdmin = "";
if (md5($pass) == $mdp) {
$miniPortailAdmin = "adminok";
session_register("miniPortailAdmin");
}
elseif ($logout == 1) {
session_unregister("miniPortailAdmin");
header("location:../index.php");
}
$chemin = "../";
include($chemin."inc/includes.inc");
if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) &&
empty($pg)) {
---------------------------------------------------------------------------------------
and the line :
------------------------------------------------------------------------
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
------------------------------------------------------------------------
by :
--------------------------------------------------------------------
elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {
--------------------------------------------------------------------
More Details :
°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/miniPortail.txt
frog-m@n
_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous !
http://search.fr.msn.be
Powered by blists - more mailing lists